As online age verification has become the norm in more and more industries — from social media to adult entertainment to online gaming, marketplaces, and everything in between — many businesses have had to rethink their approach to the process.
Gone are the days when all a user needed was to complete a simple age gate or self-attestation. Today, companies have many more robust options to choose from, including government ID checks, database verification, and even age estimation based on selfie verification.
The good news? All of these systems have been proven to be effective in verifying users’ ages at acceptable assurance levels.
The bad news? Most also require a company to collect and store sensitive information about their users — names, contact information, birthdates, government IDs, and selfies. This opens up a new arena of risk: data privacy and security.
Simply put, if they’re going to verify users’ ages, businesses must also have measures in place to protect any customer data they collect. Failure to do so can lead to potential regulatory action, in addition to damaged customer trust and brand reputation.
Below, we offer a brief refresher on how age verification works and the technologies that underlie it. We also discuss why it’s so important for businesses to have a secure solution in place, and provide a number of best practices that you can use to keep your age verification strategy secure.
How does online age verification work?
Age verification is the process of verifying that a person is old enough to access age-restricted products, services, or content. The general requirement is that businesses need to verify users’ ages before users can gain access to restricted material.
Online age verification can take a couple of different shapes. Often, it will involve one or multiple of the methods below:
Government ID verification
With government ID verification, the user is prompted to use their device’s camera to take a photo of their government-issued ID. This can be a driver’s license, passport, residency card, or other ID. The ID is then analyzed for authenticity. Finally, the date of birth contained within the ID is extracted and cross-checked against information submitted by the user.
Database verification
With database verification, the user provides some combination of identifying information about themselves. In addition to date of birth, this will often include their name, contact information (phone number, email), and address. The information is then compared against a third-party database for accuracy.
Selfie verification
With selfie verification, the user is prompted to capture and upload one or multiple selfies. This selfie is then analyzed using AI — typically an ensemble model or series of micromodels — to determine how old the user is, within a reasonable margin of error. At the same time, the selfie may be analyzed for signs of tampering or being AI-generated, as well.
A combination approach
Each of the methods above has its strengths and weaknesses. That’s why multiple methods are often used together to increase assurance.
Let’s say, for example, that you require a user to verify their age by uploading a photo of their government ID. How do you know that a child didn’t steal their parent’s ID in order to access your website, or use generative AI to create a realistic fake?
Requiring the user to submit a selfie along with their ID allows you to compare the selfie against the portrait in the ID, which can help you weed out the first scenario. Meanwhile, pairing government ID verification with database verification empowers you to confirm that the information in the ID is accurate, addressing the second scenario above.
Why does data security matter when it comes to age verification?
In order to verify a user’s age, businesses must collect and store personally identifiable information (PII) about that user. Unfortunately, this PII is also a valuable target for fraudsters, who can use it to steal a user’s identity, create a synthetic identity, or engage in other types of fraud.
Failure to adequately protect this sensitive data from inappropriate access can have serious negative impacts for your business, ranging from regulatory action to diminished customer trust.
Regulations
When it comes to age verification, regulations are a double-edged sword. On the one hand are industry-specific regulations that require age verification and establish children’s right to use online platforms. On the other, a global patchwork of data privacy laws that limit the collection of data from minors and that dictate how that data must be protected once a business collects it.
Some important data protection regulations you should keep in mind while designing your age verification strategy include:
- The General Data Protection Regulation (GDPR)
- The Children’s Online Privacy Protection Act (COPPA)
- California Consumer Privacy Act (CCPA)
- California Privacy Rights Act (CPRA)
- Colorado Privacy Act (CPA)
- Virginia Consumer Data Protection Act (VCDPA)
- Brazil General Data Protection Act or Lei Geral de Proteção de Dados (LGPD)
Penalties for non-compliance vary significantly, but range from a few hundred to a few thousand dollars per instance.
Customer trust
Do you operate in a jurisdiction free of data privacy regulations? That doesn’t mean you’re in the clear. Even when there is no regulatory incentive to protect customer data, there are still the issues of customer trust and brand reputation that must be considered.
When a user discovers that their data privacy has been breached, it can cause serious and immediate damage to the customer trust that you’ve spent years building. This loss of trust can make your users rethink whether they want to continue doing business with you, and might even send them to your competitors. This is especially true when children’s data is involved.
Secure age verification in the digital era
If you have a goal of achieving secure age verification for your business — and really, you should! — that goal should inform your entire strategy, from the moment you select a solution through final deployment. Some best practices that can help include:
Only collect and store what you need
As a rule of thumb, businesses should aim to collect and store the bare minimum amount of customer information necessary to establish a user’s age at the required assurance level. (The same is true for businesses performing verification of any kind.)
The reason for this is two-fold. First, keeping data collection to a minimum allows you to minimize the threats associated with a data breach. The less PII you collect and store, the less of a target you are to fraudsters — and the less damage those fraudsters can realize if they breach your systems.
Second, minimizing how much data and evidence you collect during age verification helps you minimize user friction by keeping the verification process from becoming too burdensome for users. This helps reduce the risk of drop-offs or failed conversions.
Learn more about how Persona’s workflows empower you to tailor your age verification approach to minimize unnecessary data collection.
Follow data encryption best practices
During both the collection and storage of user data, it’s critical to follow encryption best practices to ensure that it is as secure as possible. This includes ensuring that:
- Web traffic is encrypted via HTTPS instead of the less secure HTTP protocol
- Any stored user data is encrypted using AES-256 encryption, with decryption keys stored on separate hosts and rotated on a regular basis
- Robust identity access management protocols and other internal controls are in place to limit inappropriate access by your employees and contractors
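The stored-data bullet above, as an added example (not Persona's code): AES-256-GCM field encryption in which every blob carries the ID of the key that sealed it, so keys can be rotated without losing access to older rows. The `Keyring` type, the blob layout and the `user-42` row ID are assumptions for illustration, and the in-memory map stands in for keys served from a separate host.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Keyring maps a key ID to AES-256-GCM; stand-in for a separate key host (assumption).
type Keyring map[byte]cipher.AEAD

// Add registers a 256-bit key under id. Rotation is Add with a new id.
func (k Keyring) Add(id byte, key []byte) (err error) {
	if len(key) != 32 {
		return fmt.Errorf("key must be 32 bytes (AES-256), got %d", len(key))
	}
	block, _ := aes.NewCipher(key) // cannot fail: length checked above
	k[id], err = cipher.NewGCM(block)
	return err
}

// Seal returns keyID || 12-byte nonce || ciphertext+tag. rowID is bound as
// associated data, so a blob copied onto another user's row fails to open.
func (k Keyring) Seal(id byte, rowID string, pt []byte) ([]byte, error) {
	g, ok := k[id]
	nonce := make([]byte, 12)
	if _, err := rand.Read(nonce); err != nil || !ok {
		return nil, fmt.Errorf("seal: key %d known=%v, rand err=%v", id, ok, err)
	}
	return g.Seal(append([]byte{id}, nonce...), nonce, pt, []byte(rowID)), nil
}

// Open uses the key the blob names, so rows sealed before a rotation stay readable.
func (k Keyring) Open(rowID string, blob []byte) ([]byte, error) {
	if len(blob) < 1+12+16 || k[blob[0]] == nil {
		return nil, fmt.Errorf("blob too short or its key is not in the keyring")
	}
	return k[blob[0]].Open(nil, blob[1:13], blob[13:], []byte(rowID))
}

func main() {
	kr := Keyring{}
	kr.Add(1, make([]byte, 32)) // constructed all-zero demo key
	old, _ := kr.Seal(1, "user-42", []byte("dob=2001-02-03"))
	kr.Add(2, append(make([]byte, 31), 1)) // rotation: key 2 seals new rows
	pt, _ := kr.Open("user-42", old)       // key 1 still opens old rows
	fresh, _ := kr.Seal(2, "user-42", pt)  // re-sealed; key 1 can now be deleted
	fmt.Println(len(old), fresh[0])
}
```

Once every row has been re-sealed under the new key, deleting the old key from the keyring makes any leftover copy of the old ciphertext unreadable.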
In selecting an age verification solution, you should choose a partner that is certified to whatever security and privacy standards matter most to your industry.
Learn more about the steps that Persona takes to secure and protect your users’ data and privacy.
Offer multiple verification options
Some privacy-conscious users may not be comfortable providing certain information or evidence for age verification, such as a government ID. In these instances, you may be able to keep conversions high by offering other verification options users can choose from.
Another option? Default to the verification method that introduces the lowest level of friction, which will also typically involve the least data collection. Then, based on the risk signals you detect, you can step up verification with additional friction for users where more assurance is required.
Learn more about how Persona’s dynamic risk segmentation helps you dynamically segment your users by risk to present the ideal age verification strategy, tailored to each user.
Work with an age verification provider who will handle PII for you
One final solution to the problem of data security would be to offload the challenge completely — by selecting an age verification provider that will handle PII storage so you don’t have to.
When you don’t store user PII directly within your systems, you don’t carry the liability that comes with data leaks or breaches. This empowers you to focus on what you do best — providing a pleasant experience to your users — without needing to worry about the specifics of data security.
Learn more about how Persona’s Accounts can handle PII storage for you.
How Persona can help you achieve secure age verification
Here at Persona, data privacy and security aren’t an afterthought — they’re an integral part of our age verification solution.
Our flexible platform allows you to build the exact verification flow that your business requires, giving you complete control over what information and evidence you collect. Rest easy knowing that we’ll handle PII storage for you, and that every piece of data passing through our systems is encrypted to the highest of industry standards.
Ready to see how Persona can help you get secure age verification right? Contact us to learn more or get started for free.